General discussion

  • Creator
  • #2336506

    Restricting logon access


    by richard shortland ·

    I need to find a way of restricting access to a particular domain only. At present we have 2 domains here an nt4 based curriculum domain and a windows 2000 based admin domain. The workstations on the nt4 domain has been configured using system policys to allow access only to that domain, however I need to configure the windows 2000 workstations on the admin system to logon to that domain only. Any ideas?

    Thanks in advance

    Richard Shortland

All Comments

  • Author
    • #3402958

      Restricting logon access

      by timwalsh ·

      In reply to Restricting logon access

      I’m going to make a couple of assumptions here.

      1. You have 2-way trust relationships set up between the 2 domains. Otherewise, users from one domain would not be able to access the other domain without a user account in that domain.
      2. This is an issue of “convenience/confusion prevention” vs. security. I.E. This is an issue of keeping users from logging on to the wrong domain because they don’t pay attention to which domain they are logging on to, vs. you don’t want users in one domain to have access to resources in the other domain.

      I cannot find any Group Policy settings that will specifically prevent users from logging on to a domain different from their home domain.

      If there is no need for users in one domain to access resources in the other domain, your easiest fix may be to just dump the trust relationships. Inter-domain access is the primary purpose of trust relationships. If only a few users need access to both domains, it may be simpler in the long run to just create accounts in both domains for these few users.

      If my second assumption is wrong (i.e it is a security issue), your problem can be solved by setting up permissions on shared resources. With trust relationships set up, users in one domain can only access those shared resources in the second domain that have permissions set to “Everyone.” Otherwise, the second domain’s administrator can set up specific permissions for the first domains users.

      Hope this helps.

    • #3665898

      Restricting logon access

      by richard shortland ·

      In reply to Restricting logon access

      This question was closed by the author

Viewing 1 reply thread